Calculate Average for distinct field

splunknewbie420 · ‎03-16-2016

I have following data in my splunk results

ReportID Timedelay time Label
123 5 10:00AM Label A
123 10 10:15AM Label A
456 7 10:00AM Label B
456 9 10:03AM LabelB

I am trying to get an average of timedelay per 5 minutes, but I only wanted to get the maximum value of timedelay for each report
so for example I wanted to get average of 10+9 in the above example. Could someone please help me with a query I can use. Appreciate any help and your time. Thanks

somesoni2 · ‎03-16-2016

Can you provide the search that is generating the above splunk results? Also, if you want an average of time delay per 5 min with max value of timedelay for each report, for period 10:00AM to 10:05AM, shouldn't you be averaging 5 (for A)+9 (for B)??

dcarmack_splunk · ‎03-16-2016

Give this a try

earliest=-5m@m index=<myindex> sourcetype=<mydata> | fields Timedelay Label | eventstats max(Timedelay) AS max_Timedelay by Label | stats avg(max_Timedelay) AS avg

if you want the same results over a large window of time, you can do this

earliest=-24h index=<myindex> sourcetype=<mydata> | fields Timedelay Label | bucket span=5m __time | eventstats max(Timedelay) AS max_Timedelay by Label _time | stats avg(max_Timedelay) AS avg by _time

Calculate Average for distinct field

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle

Are you a member of the Splunk Community?

Calculate Average for distinct field

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle